b'G:.O:"   U.S. GOVERNMENT\n         PRINTING OFFICE\n         KEEPING AMERICA INI\'ORMED\n                                                                   Office of the Public Printer\n\n\n\n\n         May 30, 2007\n\n\n         The Honorable Robert A Brady\n         Chairman\n         Joint Committee on Printing\n         1309 Longworth House Office Building\n         Washington, DC 20515\n\n         Dear Mr. Chairman:\n\n         In accordance with 44 U.S.c. 3903 and the relevant provisions of the Inspector\n         General Act of 1978, as amended, I am transmitting to the Congress the\n         Semiannual Report of the Oilice or the Inspector General (OIG) for the U.S.\n         Government Printing Office (GPO), covering the 6 month period of October 1,\n         2006 through March 31,2007, along with the following information as required\n         by law. This letter meets my statutory obligation to provide comments on the\n         orG\'s report and highlights management actions taken on the OIG\'s\n         recommendations, which may relate to more than one reporting period.\n\n         During this reporting period, Bruce R. James resigned from his position as Public\n         Printer following a four-year tenure. By operation of 44 U.S.C. 304, as Deputy\n         Public Printer I am serving as Acting Public Printer pending the nomination and\n         confirmation of a new Public Printer (on May 24, 2007, the President nominated\n         Robert C. TapeIla, GPO\'s current Chief of Staff, to be Public Printer). In\n         addition, during this period GPO\'s General Counsel, Anthony Zagami, retired\n         from Government service. He was replaced by Gregory Brower, GPO\'s previous\n         Inspector General ([G). J. Anthony Ogden, Deputy Inspector General, was named\n         as acting IG (and on May 23,2007, was appointed permanent IG). In addition,\n         the Superintendent of Documents, Judy Russell, retired in March 2007. Richard\n         G. Davis is serving as Director, Library Services & Content Management/Acting\n         Superintendent of Documents. In my view, the selection of a new Superintendent\n         of Documents should appropriately be made by the next Public Printer.\n\n         Genera) Comments\n\n         As provided for by law, this section offers my general comments on the OIG\'s\n         semiannual report and operations.\n\n\n\n\n         732 North Capitol Street NW   Washington, DC 20401\xc2\xb70001         PublicPrinter@gpo.gov\n\x0cThe Honorable Robel1 A. Brady     Page 2\n\n\nI.    Management Challenges. The Inspector General identified ten\n      challenges facing GPO\' s management. We agree that all of the areas\n      highlighted reflect areas that are either undergoing significant change or\n      are, by nature, dynamic and require continuing attention. Progress has\n      been made on many of these items in the reporting period and additional\n      work on these items continues on a daily basis. While we will maintain\n      our focus on each of these challenges, we note that one or more may be\n      overtaken or subsumed by new challenges undertaken by the next Public\n      Printer. The thorough organizational and technological transformation\n      that we have begun implementing during the last three years remains\n      critical to the future of GPO. This effort must continue if the agency is to\n      maintain its ability to provide public access to Govemment information\n      through the 21 st century. The necessary pieces have been put in place for\n      the next generation of GPO employees. Recruitment and training in the\n      required skills is well underway. New systems are being acquired or\n      developed, the most critical of which, known by the placeholder name\n      "Future Digital System" (FDsys), will preserve and provide pennanent\n      public access to Federal Government information.\n\n       r do not take exception to any of the ten challenges offered by the IG,\n       since all of them are vital to GPO\'s continuing transformation and to the\n       completion of our Continuity of Operations Plan (COOP). GPO cannot\n       afford to reverse its course - the completion of the transformation now\n       underway is critical to providing the Nation with a 21 st century digital\n       platform for providing a broad new range of choices in the delivery of\n       published Govemment information.\n\nII.    Audits and Inspections. During the reporting period, the OIG issued\n       five new audit and assessment reports, including two sensitive reports,\n       with recommendations to help improve operational performance.\n       Management has concurred with all of these recommendations and will\n       be addressing each one in the ensuing semiannual reporting period.\n\n          Cl   The tlrst repolt, an assessment (sensitive), Report on Early Oracle\n               fmplementation: fndependent Verification and Validatioll (JV& V),\n               provided recommendations that G PO strengthen controls and\n               mitigate risks associated with vulnerabilities identitled during\n               IV&V activities on two early Oracle implementation projects\n               conducted by an OIG contractor. GPO concurred with each of the\n               recommendations and proposed responsive steps to mitigate the\n               vulnerabilities.\n\x0cThe Honorable Robert A. Brady    Page 3\n\n\n          o The second report, an assessment (sensitive), Report on WebTrust\n              Assessment of GPO Certification Authority - Attestation Report, is\n              based on an attestation report issued by an OIG contractor, and\n              expresses the opinion that the assertions of GPO management\n              regarding its Certification Authority which SUppOlts the cross\n              certification of GPO\'s PKf with the Federal Bridge Certificate\n              Authority - are fairly stated. GPO concurs in this finding.\n\n          o   The third report, an assessment, Report on GPO PKI Certification\n              Practices Statement Compliance with the Federal Common Policy\n              Framework, provides the findings of an OIG contractor who\n              examined GPO\'s Cel1ificate Practices\n\n              Statement (required of organizations seeking accreditation as a\n              provider of managed PKI services), and detennined that the\n              Statement complied, in all material respects, with the\n              Government\'s X.S09 Certificate Policy for the Common Policy\n              Framework, as required by the Federal Identity Credentialing\n              Committee. GPO concurs in this finding.\n\n          o   The fourth report, Follow-On Report on GPO Purchase Card\n              Program, found that management and supervisory controls over\n              GPO purchase card cardholders should be strengthened. The audit\n              found evidence of unauthorized use of GPO purchase cards,\n              inadequate record-keeping, erroneous payment of State and local\n              sales taxes, inappropriately large purchases, and inconsistent\n              review of monthly statements. The report recommends GPO\n              strengthen management and supervisory controls over purchase\n              card use, and insure that cards are used in compliance with\n              applicable laws and regulations. GPO concurs with the\n              recommendations and will implement the requisite policies and\n              procedures to respond to them.\n\n          o   The filth report, Repotl all Peer-to-Peer File Sharing, indicates\n              that an audit found a file sharing protocol residing within the GPO\n              network domain and that such file sharing software can present a\n              security risk to GPO\'s network. The report recommends that GPO\n              strengthen controls over the use of peer-to-peer file sharing on the\n              GPO network. GPO concurs with the recommendation and has\n              proposed the appropriate responsive measures.\n\x0cThe Honorable Robert A. Brady     Page 4\n\n\nGPO is required to obtain an independent annual audit of its financial statements.\nThe audit firm contracted for this purpose issued an unqualified opinion on\nGPO\'s financial statements for FY 2006, stating the statements were presented\nfairly and in conformance with generally accepted accounting principles. The\naudit report indicated, however, that controls involving the billing process should\nbe strengthened, that certain reconciliation controls should be strengthened, that\ncontrols over recording and reporting environmental liabilities should be\nimproved, and that general controls for Information Technology should be\nimproved. GPO concurs with these recommendations and has planned Of initiated\nactions to address them.\n\nIII.    Investigations. The investigative work performed by the OIG to protect\n        against waste, fraud, and abuse merits recognition, as a case involving\n        theft of otlice supplies was successfully prosecuted and convictions were\n        obtained. Other accomplishments, such as the investigations that led to\n        recovery of fraudulent workers\' compensations claims, corrective action\n        against an employee for personal use of an agency vehicle, and pending\n        DO] prosecution of a contractor alleged to have made false claims, are\n        clear evidence orthe value of the OIG\'s investigative team in protecting\n        the public funds entrusted to the GPO.\n\nPrior Period Outstanding Recommendations\n\nAs required by law, this section summarizes management\'s planned action to\naddress remaining orG\'s recommendations still outstanding from previous\nreporting periods.\n\n                    Blank Passport Product Integrity and Security\n                     (Report No. AI-OS02, dated March 31, 2005)\n\nGPO generally concurs with the recommendations and has made continuous\nadjustments to its operations in order to address them. During the reporting\nperiod, foul\' of the eight remaining open recommendations were closed. GPO is\ntaking action to close the remaining four recommendations.\n\n          GPO Network Vulnerability Assessment (Report No. 06-02, dated\n                               March 28, 2006)\n\nGPO concurred with the four recommendations issued in this report, and has\nclosed one of the them. GPO is working with the OIG to implement steps that will\nclose the remaining three open recommendations.\n\x0cThe Honorable Robeli A. Brady       Page 5\n\n\n             GPO Oracle Program Stakeholder Analysis (Report No. 06-03,\n                                  dated March 31, 2006)\n\nGPO concurred with the report\'s thirteen recommendations and closed one of\nthem with the hiring of an Oracle Program Manager in March 2007.\nImplementation of responsive action on the remaining twelve recommendations is\nnow taking place under the direction of the Oracle Program Manager. GPO\nanticipates substantial progress in closing these recommendations during the\ncurrent reporting period.\n\n                  Inspection of GPO\'s Continuity of Operations Plan\n                      (Report No. 06-04, dated March 31, 2006)\n\nGPO concurred with the report\'s eighteen recommendations, all of which focused\non the requirement to establish a viable COOP Plan. In response to the\nrecommendations, GPO developed a comprehensive COOP Plan based on the\nFEMA template. GPO\'s plan was subsequently circulated, revised, and approved.\n The OIG considers twelve of the recommendations still open. GPO is working\nwith the OIG to attain closure of the open recommendations and, in fact, has\ntaken actions that it considers to have closed eleven additional recommendations\nsince the end of the reporting period.\n\nStatistical Tables\n\nStatistical tables as required by law are enclosed.\n\nIf you need additional information with respect to this report, please do not\nhesitate to contact Mr. Andrew M. Sherman, Director of Congressional Relations,\non 202-512-1991, or bye-mail at asherman@gpo.gov.\n\nSincerely,\n\n\n\n\nWILLIAM H. TURRI\nActing Public Printer\n\nEnclosures\n\x0ccc;   The Honorable Diane Feinstein, Vice Chairnlan\n      The Honorable Robert Bennett, Ranking Minority Member\n      The Honorable Mike Capuano\n      The Honorable Vernon Ehlers\n      The Honorable Kevin McCarthy\n      The Honorable Daniel K. Inouye\n      The Honorable Patty Murray\n      The Honorable Saxby Chambliss\n\x0cENCLOSURE I\n                  STATISTICAL TABLE FOR SECTION S(b)(2) - DISALLOWED COSTS\n\n                                                           Number of         Disallowed Costs\n                                                         Audit Reports Questioned Unsul2l2orted\nA.     Audit reports for which final action I had\n       not been taken by the commencement\n       of the reporting period                                 0                0           0\n\n       Audit reports issued during the period\n       with potential disallowed costs                          0               0           0\n\n       Total Costs                                              0               0           0\n\nB.     Audit reports on which management\n       decisions 2 were made during the\n       reporting period\n\n       ( i.)    Dollar value of disallowed costs               0            0               0\n\n       (ii. )   Dollar value of allowed costs                               112,927         63,935\n\nC.     Audit reports for which final action\n       was taken during the period, including;\n\n       ( i.)    Dollar value of disallowed costs               0            0               0\n                that were recovered by management\n                through otlsets against other\n                contractor invoices or nonpayment\n\n       (ii. )   Dollar value of disallowed costs                   0        0               0\n                that were written off by management\n\nD.     Audit repolts for which no final                         0           0               0\n       action has been taken by the end\n       of the reporting period\n\n\n\n\nt As defined by law, the term \'"11nal action" means the completion of all actions that the management of\nan establishment has concluded, in its management decision, are necessary with respect to the findings\nand recommendations included in an audit report, and in the event that the management concludes no\naction is necessary, final action occLlrs when a management decision has been made.\n2 As defined by law, the term "management decision" means the evaluation by management of the\ntindings and recommendations included in an audit report and the issuance of a tinal decision by\nmanagement concerning its response to such findings and recommendations, including actions concluded\nto be necessary.\n\x0cENCLOSURE II\n\n\n      STATISTICAL TABLE FOR SECTION 5(b)(3) - FUNDS PUT TO BETTER USE\n                  AGREED TO IN A MANAGEMENT DECISION\n\n                                                         Number of       Dollar Value of\n                                                         Audit ReRorts   Recommendations\n     A, Audit reports for which final action] had\n        not been taken by the commencement of\n        the reporting period                                    0                   0\n\n         Audit reports for which final action had\n         not been taken for new reports issued\n         during the reporting period with potential\n         funds put to bettcr use                                0                   0\n\nB.       Audit reports on which management\n         decisions 4 were made during the reporting\n         period                                                 0                   0\n\nC.       Audit reports for which final action was\n         taken during the reporting, including:\n\n         ( i,)    Dollar value of recommendations\n                  that were actually completed                  0                   0\n\n         (ii. )   Dollar value of recommendations\n                  that management has subsequently\n                  concluded should not or could not\n                  be implemented or completed                   0                   0\n\nD,       Audit reports for which no final action has\n         been taken by the end of the reporting period          0                   0\n\n\n\n\nJ Same definition as in Enclosure L\n" Same definition as in Enclosure L\n\x0c'